diff --git a/controllers/kustomization_decryptor_test.go b/controllers/kustomization_decryptor_test.go index 02eb4140..abfc675c 100644 --- a/controllers/kustomization_decryptor_test.go +++ b/controllers/kustomization_decryptor_test.go @@ -60,9 +60,17 @@ func TestKustomizationReconciler_Decryptor(t *testing.T) { cli, err := api.NewClient(api.DefaultConfig()) g.Expect(err).NotTo(HaveOccurred(), "failed to create vault client") + cli.SetToken(os.Getenv("VAULT_TOKEN")) + enginePath := "sops" + err = cli.Sys().Mount(enginePath, &api.MountInput{ + Type: "transit", + Description: "backend transit used by SOPS", + }) + g.Expect(err).NotTo(HaveOccurred(), "failed to mount transit on engine path") // create a master key on the vault transit engine path, data := "sops/keys/firstkey", map[string]interface{}{"type": "rsa-4096"} + _, err = cli.Logical().Write(path, data) g.Expect(err).NotTo(HaveOccurred(), "failed to write key") @@ -127,7 +135,7 @@ func TestKustomizationReconciler_Decryptor(t *testing.T) { StringData: map[string]string{ "pgp.asc": string(pgpKey), "age.agekey": string(ageKey), - "sops.vault-token": "secret", + "sops.vault-token": os.Getenv("VAULT_TOKEN"), }, } diff --git a/controllers/suite_test.go b/controllers/suite_test.go index 51149021..2a4fafff 100644 --- a/controllers/suite_test.go +++ b/controllers/suite_test.go @@ -37,8 +37,10 @@ import ( "github.com/fluxcd/pkg/runtime/testenv" "github.com/fluxcd/pkg/testserver" sourcev1 "github.com/fluxcd/source-controller/api/v1beta2" - "github.com/hashicorp/vault/api" - "github.com/ory/dockertest" + vaulttransit "github.com/hashicorp/vault/builtin/logical/transit" + vaulthttp "github.com/hashicorp/vault/http" + "github.com/hashicorp/vault/sdk/logical" + "github.com/hashicorp/vault/vault" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" utilruntime "k8s.io/apimachinery/pkg/util/runtime" 
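Review bot: `enginePath := "sops"` is introduced for the mount, but the key path on the following context line still hard-codes `"sops/keys/firstkey"`, so the mount path and the key path can drift apart if either is changed; derive one from the other: `path, data := enginePath+"/keys/firstkey", map[string]interface{}{"type": "rsa-4096"}`. `cli.SetToken(os.Getenv("VAULT_TOKEN"))` quietly installs an empty token when the variable is not set, and the test then fails later at `Mount` with a permission error rather than at the cause; a guard such as `g.Expect(os.Getenv("VAULT_TOKEN")).NotTo(BeEmpty(), "VAULT_TOKEN not set by the test suite")` makes that failure self-explanatory. TestKustomizationReconciler_Decryptor starts and ends outside the hunk.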
@@ -121,12 +123,12 @@ func runInContext(registerControllers func(*testenv.Environment), run func() err } // Create a Vault test instance. - pool, resource, err := createVaultTestInstance() + cluster, err := createVaultTestInstance() if err != nil { panic(fmt.Sprintf("Failed to create Vault instance: %v", err)) } defer func() { - pool.Purge(resource) + cluster.Cleanup() }() runErr := run() 
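Review bot: The deferred closure wrapping `cluster.Cleanup()` is no longer needed now that the call takes no arguments and returns nothing; `defer cluster.Cleanup()` says the same thing directly. Note that this defer only runs once `createVaultTestInstance` has returned successfully, so any cleanup for the partially-started cluster on the helper's own error paths has to live inside the helper. runInContext continues outside the hunk.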
@@ -374,44 +376,39 @@ func createArtifact(artifactServer *testserver.ArtifactServer, fixture, path str return fmt.Sprintf("%x", h.Sum(nil)), nil } -func createVaultTestInstance() (*dockertest.Pool, *dockertest.Resource, error) { - // uses a sensible default on windows (tcp/http) and linux/osx (socket) - pool, err := dockertest.NewPool("") - if err != nil { - return nil, nil, fmt.Errorf("Could not connect to docker: %s", err) +func createVaultTestInstance() (*vault.TestCluster, error) { + // this is set to prevent "certificate signed by unknown authority" errors + os.Setenv("VAULT_SKIP_VERIFY", "true") + os.Setenv("VAULT_INSECURE", "true") + t := &testing.T{} + coreConfig := &vault.CoreConfig{ + LogicalBackends: map[string]logical.Factory{ + "transit": vaulttransit.Factory, + }, } + cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{ + HandlerFunc: vaulthttp.Handler, + NumCores: 1, + }) + cluster.Start() + + if err := vault.TestWaitActiveWithError(cluster.Cores[0].Core); err != nil { + return nil, fmt.Errorf("test core not active: %s", err) + } + + testClient := cluster.Cores[0].Client - // pulls an image, creates a container based on it and runs it - resource, err := pool.Run("vault", vaultVersion, []string{"VAULT_DEV_ROOT_TOKEN_ID=secret"}) + status, err := testClient.Sys().InitStatus() if err != nil { - return nil, nil, fmt.Errorf("Could not start resource: %s", err) + return nil, fmt.Errorf("cannot checking Vault client status: %s", err) + } + if status != true { + return nil, fmt.Errorf("waiting on Vault server to become ready") } - os.Setenv("VAULT_ADDR", fmt.Sprintf("http://127.0.0.1:%v", resource.GetPort("8200/tcp"))) - os.Setenv("VAULT_TOKEN", "secret") + os.Setenv("VAULT_ADDR", testClient.Address()) + os.Setenv("VAULT_TOKEN", testClient.Token()) // exponential backoff-retry, because the application in the container might not be ready to accept connections yet - if err := pool.Retry(func() error { - cli, err := 
api.NewClient(api.DefaultConfig()) - if err != nil { - return fmt.Errorf("Cannot create Vault Client: %w", err) - } - status, err := cli.Sys().InitStatus() - if err != nil { - return err - } - if status != true { - return fmt.Errorf("Vault not ready yet") - } - if err := cli.Sys().Mount("sops", &api.MountInput{ - Type: "transit", - }); err != nil { - return fmt.Errorf("Cannot create Vault Transit Engine: %w", err) - } - - return nil - }); err != nil { - return nil, nil, fmt.Errorf("Could not connect to docker: %w", err) - } - return pool, resource, nil + return cluster, nil } diff --git a/internal/sops/hcvault/keysource_test.go b/internal/sops/hcvault/keysource_test.go index 25812792..c4e27e86 100644 --- a/internal/sops/hcvault/keysource_test.go +++ b/internal/sops/hcvault/keysource_test.go @@ -39,6 +39,7 @@ var ( // make use of the various `test*` variables. func TestMain(m *testing.M) { // this is set to prevent "certificate signed by unknown authority" errors + os.Setenv("VAULT_SKIP_VERIFY", "true") os.Setenv("VAULT_INSECURE", "true") t := &testing.T{} coreConfig := &vault.CoreConfig{ 
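Review bot: After `cluster.Start()`, the three error returns (`test core not active`, `cannot checking Vault client status`, `waiting on Vault server to become ready`) leave the started in-process cluster and its listener running, because the only `cluster.Cleanup()` is the caller's defer, which is reached solely on success; add `cluster.Cleanup()` before each of those `return nil, ...` lines. While touching them, wrap with `%w` instead of `%s`, rename the message to `"checking Vault init status: %w"`, and write `if !status {` rather than `if status != true {`; the same two strings appear in the TestMain hunk of internal/sops/hcvault/keysource_test.go. The retained comment `// exponential backoff-retry, because the application in the container might not be ready to accept connections yet` now describes the removed dockertest loop; replace it with `// single check only: TestWaitActiveWithError already blocked until the core was active, this confirms it reports initialised`. `vault.NewTestCluster` is handed a bare `&testing.T{}`, so any setup failure it reports through `t` cannot surface as this function's error return and presumably ends the goroutine or panics instead — worth confirming against the vault package version in go.mod. createVaultTestInstance is fully inside the hunk.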
@@ -56,32 +57,19 @@ func TestMain(m *testing.M) { logger.Fatalf("test core not active: %s", err) } - api.DefaultConfig() testClient := cluster.Cores[0].Client - testVaultToken = testClient.Token() - testVaultAddress = testClient.Address() - // Wait until Vault is ready to serve requests - if err := func() error { - cfg := api.DefaultConfig() - cfg.Address = testVaultAddress - cli, err := api.NewClient(cfg) - cli.SetToken(testClient.Token()) - if err != nil { - return fmt.Errorf("cannot create Vault client: %w", err) - } - status, err := cli.Sys().InitStatus() - if err != nil { - return err - } - if status != true { - return fmt.Errorf("waiting on Vault server to become ready") - } - return nil - }(); err != nil { - logger.Fatalf("could not connect to local vault server: %s", err) + status, err := testClient.Sys().InitStatus() + if err != nil { + logger.Fatalf("cannot checking Vault client status: %s", err) + } + if status != true { + logger.Fatal("waiting on Vault server to become ready") } + testVaultToken = testClient.Token() + testVaultAddress = testClient.Address() + if err := enableVaultTransit(testVaultAddress, testVaultToken, testEnginePath); err != nil { logger.Fatalf("could not enable Vault transit: %s", err) }
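Review bot: `logger.Fatal("waiting on Vault server to become ready")` describes a wait that does not happen: the `InitStatus` check is one-shot and `Fatal` exits, and `vault.TestWaitActiveWithError` has already blocked until the core was active before this hunk; state what a false status means, e.g. `logger.Fatal("Vault test core reports not initialised")`. If TestMain defers `cluster.Cleanup()` above this hunk, the `os.Exit` inside `logger.Fatal`/`Fatalf` skips it, so a `cluster.Cleanup()` call before each fatal exit here keeps the failure path tidy — I cannot see the top of TestMain to confirm. Using `testClient.Sys().InitStatus()` directly instead of building a second client from `testVaultAddress` is a good simplification. TestMain starts outside the hunk.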